Meta Warns of 8 Spyware Companies
Meta Platforms announced it has taken measures to combat malicious activities originating from eight firms in Italy, Spain, and the United Arab Emirates (UAE) engaged in the surveillance-for-hire industry.
The findings were reported in Meta’s Adversarial Threat Report for the fourth quarter of 2023. The spyware targeted iOS, Android, and Windows devices, with capabilities to collect and access a wide range of data, including device information, location, photos and media, contacts, calendar, email, SMS, social media, messaging apps, and enable microphone, camera, and screenshot functionality, the company stated.
The eight companies identified are Cy4Gate/ELT Group, RCS Labs, IPS Intelligence, Variston IT, TrueL IT, Protect Electronic Systems, Negg Group, and Mollitiam Industries.
According to Meta, these firms were involved in scraping, social engineering, and phishing activities targeting various platforms, including Facebook, Instagram, Twitter, YouTube, Skype, GitHub, Reddit, Google, LinkedIn, Quora, Tumblr, VK, Flickr, TikTok, Snapchat, Gettr, Viber, Twitch, and Telegram.
A network of fictitious personas linked to RCS Labs, owned by Cy4Gate, reportedly deceived users into providing their phone numbers and email addresses, as well as clicking on bogus links for reconnaissance purposes.
In another instance, Facebook and Instagram accounts linked to Spanish spyware vendor Variston IT were utilized for exploit development and testing, including the dissemination of malicious links. Recent reports indicate that the company is in the process of shutting down its operations.
Meta also reported identifying accounts used by Negg Group to test the delivery of its spyware. Additionally, accounts associated with Mollitiam Industries, a Spanish firm advertising data collection services and spyware targeting Windows, macOS, and Android, were identified for scraping public information.
As countermeasures, the company has introduced new features such as enabling Control Flow Integrity (CFI) on Messenger for Android and implementing VoIP memory isolation for WhatsApp to increase the difficulty of exploitation and reduce the overall attack surface.
Despite these efforts, the surveillance industry continues to thrive in various unexpected forms. Last month, 404 Media, building on previous research from the Irish Council for Civil Liberties (ICCL) in November 2023, uncovered a surveillance tool called Patternz. This tool utilizes real-time bidding (RTB) advertising data gathered from popular apps like 9gag, Truecaller, and Kik to track mobile devices.
“Patternz enables national security agencies to leverage real-time and historical user advertising data to detect, monitor, and predict user actions, security threats, and anomalies based on users’ behavior, location patterns, and mobile usage characteristics,” as claimed by ISA, the Israeli company behind the product.
Last week, Enea disclosed a previously unknown mobile network attack called MMS Fingerprint, purportedly used by Pegasus-maker NSO Group. This information was detailed in a 2015 contract between the company and the telecom regulator of Ghana.
While the exact method remains somewhat mysterious, the Swedish telecom security firm suspects it likely involves the use of MM1_notification.REQ, a special type of SMS message known as a binary SMS that notifies the recipient device of an MMS waiting for retrieval from the Multimedia Messaging Service Center (MMSC).
The MMS is then fetched via MM1_retrieve.REQ and MM1_retrieve.RES, with the former being an HTTP GET request to the URL address contained in the MM1_notification.REQ message.
What’s notable about this approach is that user device information such as User-Agent (distinct from a web browser User-Agent string) and x-wap-profile is embedded in the GET request, effectively acting as a fingerprint.
“The (MMS) User-Agent is a string that typically identifies the OS and device,” Enea explained. “x-wap-profile points to a UAProf (User Agent Profile) file that describes the capabilities of a mobile handset.”
A threat actor seeking to deploy spyware could utilize this information to exploit specific vulnerabilities, tailor malicious payloads to the target device, or even craft more effective phishing campaigns. However, there is no evidence suggesting that this security vulnerability has been exploited in the wild in recent months.
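To make concrete what the retrieval step exposes, here is an added example (not code from the article or from Enea) that parses an MM1_retrieve.REQ-style HTTP GET as described above, pulls out the User-Agent and x-wap-profile headers that act as the fingerprint, and flags a retrieval whose target host is not on a carrier's MMSC allowlist. The two requests, the handset name, the UAProf URL and the allowlist are constructed for illustration; the IP address is from the documentation range and is not a real MMSC.

```python
"""Added example: inspect an MMS retrieval request from the defender's side.

A notification (MM1_notification.REQ) tells the handset where to fetch the
message; the handset then issues an HTTP GET (MM1_retrieve.REQ) that carries
device-identifying headers. This code shows what those headers reveal and
checks whether the retrieval goes to a known MMSC. All sample data below is
constructed, not captured traffic.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hypothetical carrier allowlist of legitimate MMSC hosts (constructed).
KNOWN_MMSC_HOSTS = {"mmsc.example-carrier.net"}

# Headers named in the article as the device fingerprint.
FINGERPRINT_HEADERS = ("user-agent", "x-wap-profile")


@dataclass
class RetrieveRequest:
    method: str
    target: str
    headers: Dict[str, str] = field(default_factory=dict)

    @property
    def host(self) -> Optional[str]:
        return self.headers.get("host")

    @property
    def fingerprint(self) -> Dict[str, str]:
        """Only the headers that identify OS, handset and capabilities."""
        return {h: self.headers[h] for h in FINGERPRINT_HEADERS if h in self.headers}


def parse_request(raw: str) -> RetrieveRequest:
    """Parse the request line and headers of a raw HTTP/1.1 request."""
    head, _, _body = raw.lstrip("\r\n").partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split at the first colon only
        if sep:
            headers[name.strip().lower()] = value.strip()
    return RetrieveRequest(method, target, headers)


def assess(req: RetrieveRequest) -> Dict[str, object]:
    """Report what leaks and whether the retrieval host is an expected MMSC."""
    findings: List[str] = []
    fp = req.fingerprint
    if fp:
        findings.append("device fingerprint exposed via " + ", ".join(sorted(fp)))
    host = (req.host or "").lower()
    unexpected = host not in KNOWN_MMSC_HOSTS
    if unexpected:
        findings.append(f"retrieval sent to host outside MMSC allowlist: {host or '<none>'}")
    return {"fingerprint": fp, "unexpected_host": unexpected, "findings": findings}


# Constructed sample: a retrieval that goes to the carrier's own MMSC.
SAMPLE_LEGIT = "\r\n".join([
    "GET /mms/retrieve?id=0123abcd HTTP/1.1",
    "Host: mmsc.example-carrier.net",
    "User-Agent: ExampleHandset/2.1 MMS/1.3",  # constructed MMS User-Agent
    "x-wap-profile: http://uaprof.example-carrier.net/ExampleHandset-2.1.xml",
    "Accept: application/vnd.wap.mms-message",
    "", "",
])

# Constructed sample: same handset, but the notification pointed it elsewhere.
SAMPLE_UNEXPECTED = "\r\n".join([
    "GET /m HTTP/1.1",
    "Host: 198.51.100.7",
    "User-Agent: ExampleHandset/2.1 MMS/1.3",
    "x-wap-profile: http://uaprof.example-carrier.net/ExampleHandset-2.1.xml",
    "", "",
])

if __name__ == "__main__":
    for sample in (SAMPLE_LEGIT, SAMPLE_UNEXPECTED):
        result = assess(parse_request(sample))
        for finding in result["findings"]:
            print(finding)
        print("---")
```

The point for a defender is the second sample: the fingerprint headers are sent by the handset whatever the destination, so the only control on the network side is where notifications are allowed to point. Rather than trying to strip the headers on the device, a carrier or MMS gateway can log and alert on retrieval requests whose Host is outside its MMSC allowlist.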